MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f814ed84163562b37e125034de6ecf0f81b1d637579467358581e87ac40c5b4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LimeRAT


Vendor detections: 6



SHA256 hash: f814ed84163562b37e125034de6ecf0f81b1d637579467358581e87ac40c5b4b
SHA3-384 hash: 797d47ded8771f8f3ff14623c04107b77bcf843164f574b689db711b1fb2e018db48219ff9a0eba5f3a138783edd8345
SHA1 hash: 7a6ee3b2b368867101b420abf44d843f3bd71692
MD5 hash: c3ac41b63b7ec81660c6eed03cc7f643
humanhash: lemon-leopard-equal-foxtrot
File name: 520sCish.exe
Signature: LimeRAT
File size: 29'184 bytes
First seen: 2020-10-25 15:48:30 UTC
Last seen: 2020-10-25 16:50:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 768:ipZYZ62u3wt4B5AK45NR97zPCv8Kw/ej:ipz3wtAKjv7zPrW
Threatray: 20 similar samples on MalwareBazaar
TLSH: 85D27D0077E09346D39C5AB60FB162550E71DA1BB93BFB7D0CC950931E6BED18A84BE2
Reporter: johannes
Tags: LimeRAT


viql:
LimeRAT via https://pastebin.com/raw/520sCish

Intelligence


File Origin
# of uploads: 3
# of downloads: 737
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending a custom TCP request
Connection attempt
Result
Threat name: LimeRAT
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected LimeRAT
Threat name: ByteCode-MSIL.Trojan.LimeRAT
Status: Malicious
First seen: 2020-10-25 15:50:05 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Legitimate hosting services abused for malware hosting/C2
Unpacked files
SHA256 hash: f814ed84163562b37e125034de6ecf0f81b1d637579467358581e87ac40c5b4b
MD5 hash: c3ac41b63b7ec81660c6eed03cc7f643
SHA1 hash: 7a6ee3b2b368867101b420abf44d843f3bd71692
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.